Posted
by
msmash
on Wednesday October 19, 2016 @01:20PM
from the security-woes dept.

Reader Trailrunner7 writes: Researchers have known for a long time that acoustic signals from keyboards can be intercepted and used to spy on users, but those attacks rely on grabbing the electronic emanation from the keyboard. New research from the University of California Irvine shows that an attacker, who has not compromised a target's PC, can record the acoustic emanations of a victim's keystrokes and later reconstruct the text of what he typed, simply by listening over a VoIP connection.

The researchers found that when connected to a target user on a Skype call, they could record the audio of the user's keystrokes. With a small amount of knowledge about the victim's typing style and the keyboard he's using, the researchers could accurately get 91.7 percent of keystrokes. The attack does not require any malware on the victim's machine and simply takes advantage of the way that VoIP software acquires acoustic emanations from the machine it's on.

While their specific research may be new, the results are hardly new. Its been nearly 11 years since more original research was released [berkeley.edu] with similar results. Looks like this may be the first time Slashdot has reported this though.

A comparable story was posted to Slashdot a little over a decade ago (early to mid 2000s?), though the percentages were lower that 91%, IIRC (it might have been based on your Berkeley link). I recall wondering if cubes next to mine could be susceptible to such "hacking" (i.e. spying).

I think the real difference is that the audio chain is no longer perfect - it's over VoIP and the audio has been compressed to favor voice over complete fidelity. So the audio of the typing would be distorted since it's not considered important audio. And even with this distortion is it possible to figure out which keys were pressed.

In the real world, there's a difference between "eh, we can probably do X" and actually doing the research to show that we can do X. I know, that's a hard concept for J. Random Slashdot Idiot to comprehend.

apt-get install bucklespring (there's a Mac build, dunno how do you install there -- or if you even still can install anything not from the App Store)

The author of this program [github.com] has sampled the sound of every key on a real Model M, so you can install this and pretend you have a keyboard for grown-ups. On the downside, everyone in your building can learn what you type without requiring a VoIP link.

This isn't shocking. If you can match an acoustic signature you can figure it out. There have been tons of these "research" projects coming out of Universities lately. I guess this is what passes for research nowadays. I can write a program that can identify any car that drives by with good accuracy just by recording the sound the engine makes and matching it against known engine sounds. Ridiculous.

so what you really mean is 'someone else already wrote a program to identify any car that drives by with good accuracy just by matching it against known engine sounds, and i can write a several-line script to call that program'

with an fft and engine sound database, you could get a not-too-terrible result in an hour or two just using nearest-neighbor methods. it's not totally trivial, but it's something i would expect an undergraduate to be able to do as homework.

try reading the paper about shazam's core method. it's amazingly simple (which isn't to say they haven't done a lot of work tweaking it of course).

I used a technique back in the early 1990s where anyone using internet relay chat would have their keystrokes appear on my end. It was also 100% accurate, no microphone needed, and able to capture hundreds -- no, thousands of users at a time. I could capture dozens of conversations lasting hours sorted into "channels". It was fun for a while, I really should get back into it.

Sorry, but I think this news is from 90s or early 00s. I still clearly remember the effort to decode the sound of the keyboard, but then it was working with a particular keyboard and it was told that application has to be trained to decode clicks of another keyboard.

the housefly cam that's recording video of your keyboard from the ceiling,and the laser pointed at your office window that is recording the window vibrations as you proofread by mumbling to yourself as you write.

Seriously, if it was possible to effectively translate the sounds made by a keyboard, then the computers used to record Confidential, Secret, and Top Secret data would all have to be located in windowless rooms where you could not capture said sounds.

That's funny.

As if some of us on here worked in such windowless rooms back in the 70s and 80s....